[Windows] Add checksum verification for Firefox browser (#8411)

2025-12-30 13:27:15 +08:00 · 2023-10-11 11:06:47 +02:00
parent 6315b7ed2c
commit be42f35015
1 changed files with 10 additions and 3 deletions
--- a/images/win/scripts/Installers/Install-Firefox.ps1
+++ b/images/win/scripts/Installers/Install-Firefox.ps1
@@ -1,16 +1,23 @@
 ################################################################################
 ##  File:  Install-Firefox.ps1
 ##  Desc:  Install Mozilla Firefox
+##  Supply chain security: Firefox browser - checksum validation
 ################################################################################

 # Install and configure Firefox browser
 Write-Host "Install latest Firefox browser..."
 $VersionsManifest = Invoke-RestMethod "https://product-details.mozilla.org/1.0/firefox_versions.json"
-$InstallerName = "firefox-browser.exe"
 $InstallerUrl = "https://download.mozilla.org/?product=firefox-$($VersionsManifest.LATEST_FIREFOX_VERSION)&os=win64&lang=en-US"
-$ArgumentList = ("/silent", "/install")
+$packagePath = Start-DownloadWithRetry -Url $InstallerUrl -Name "FirefoxSetup.exe"

-Install-Binary -Url $InstallerUrl -Name $InstallerName -ArgumentList $ArgumentList
+#region Supply chain security - Stack
+$fileHash = (Get-FileHash -Path $packagePath -Algorithm SHA256).Hash
+$hashUrl = "https://archive.mozilla.org/pub/firefox/releases/$($VersionsManifest.LATEST_FIREFOX_VERSION)/SHA256SUMS"
+$externalHash = (Invoke-RestMethod -Uri $hashURL).ToString().Split("`n").Where({ $_ -ilike "*win64/en-US/Firefox Setup*exe*" }).Split(' ')[0]
+Use-ChecksumComparison $fileHash $externalHash
+#endregion
+
+Install-Binary -FilePath $packagePath -ArgumentList "/silent", "/install"

 Write-Host "Disable autoupdate..."
 $FirefoxDirectoryPath = Join-Path $env:ProgramFiles "Mozilla Firefox"